Aadhaar data security – a hot topic since the introduction of the framework back in 2009 – is once again in the news. A three-month-long investigation claims to have uncovered a software patch that compromises the security of the data stored in Aadhaar identity database. The patch, which isn’t developed formally by the Unique Identification Authority of India (UIDAI), allegedly allows hackers to generate unauthorised Aadhaar numbers by disabling the security features of the official Aadhaar enrolment software. It is said to come at a one-time charge of as low as Rs. 2,500 and is reportedly already used by many enrolment operators across the country. The new hack is believed to have its roots in the decision that UIDAI took back in 2010 to speed up the enrolment process by opening it for private operators. Notably, the report highlighting the fresh Aadhaar patch emerges just ahead of the launch of face recognition facility by the Aadhaar-issuing body. The facility will bring face recognition in addition to iris and fingerprint scan to verify users.
HuffPost India is claiming to have gained access to the patch that has been verified by multiple experts. The patch is said to let a user bypass critical security features as biometric authentication of enrolment operators and disables the enrolment software’s pre-installed GPS security feature that is used to help UIDAI identify the physical location of enrolment centres. The removal of the GPS requirement would allow patch users to generate numbers from anywhere in the world. Further, the unofficial patch reportedly reduces the sensitivity of the iris-recognition system of the enrolment software, allowing a photograph of a registered operator to be used for authentication. All this makes it easier for anyone who has access to the patch to generate Aadhaar numbers “at will”.
“Whomever [sic] created the patch was highly motivated to compromise Aadhaar,” said Gustaf Björksten, Chief Technologist at Access Now, as quoted by HuffPost India. Björksten was among the analysts who analysed the patch. According to the report, the patch came into circulation in early 2017. Björksten added that the patch was the work of more than one coder.
At the time of opening Aadhaar registrations through private enrolment operators in 2010, UIDAI brought a standardised enrolment software called the Enrolment Client Multi-Platform (ECMP). The software needs to be installed on each enrolment computer. Björksten noted the decision to offer an installation package instead of giving a cloud-based solution to private enrolment operators put the critical components of Aadhaar at risk. This also eventually opened the avenue for a hack like the latest patch that is reportedly working on top of the enrolment software, and was created by “grafting code from older versions of Aadhaar enrolment software – which had fewer security features – onto newer versions of the software”.
The HuffPost India team says that the Aadhaar patch (along with the usernames and passwords needed to access UIDAI’s enrolment gateway) can be procured thousands from WhatsApp groups, and it comes at a charge of Rs. 2,500. It can be installed just as any other software on a computer, and by changing certain Java libraries using cut-paste commands. Once installed, the patch reportedly helps enrolment operators to abandon the use of their fingerprints to access the enrolment software. It is also said to disable the GPS and reduce the sensitivity of the iris scanner as well as extends to the duration of each login session. Since the patch enables private operators to use the enrolment software without using their fingerprints, a single operator can log into multiple machines simultaneously. This helps reduce the cost per enrolment and thus increasing its adoption among enrolment operators who are reportedly paid as little as Rs. 30 per enrolment.
The report cites a former Aadhaar enrolment operator to say that other operators were using the patch to privately create Aadhaar entries for a higher fee, between Rs. 100 and Rs. 500. The operator was also cited to say he’d written to UIDAI CEO and others to inform them about the ongoing illegal access. The patch is reportedly still effective, and other out-of-work operators have colluded with sources in authorised Aadhaar centres to “complete the registration process for a fee.”
The new software patch, doesn’t giving read access to the Aadhaar database, but instead enables the addition of new information to the Aadhaar system. This means that using the patch, fake identities could be added to the Aadhaar database. “If anybody is able to create an entry in the Aadhaar database, then potentially the person can create multiple Aadhaar cards. Then the same person can siphon off rations of multiple people,” said Rajendran Narayanan, Assistant Professor, Azim Premji University, Bengaluru, as quoted by HuffPost India.
HuffPost India claims that it provided a copy of the patch to National Critical Information Infrastructure Protection Centre (NCIIPC) earlier this year, but the government body that is the nodal agency responsible for Aadhaar security declined to share its findings. UIDAI also didn’t respond to the communication made before publishing the development. Moreover, some evidence of the mass-usage of the patch can be seen from the YouTube videos showing “ecmp bypass” tutorials.
We’ve reached out to UIDAI for clarity on the patch and also emailed a questionnaire to UIDAI CEO to understand the future steps to ensure legit registrations. We’ve received a statement from UIDAI on the issue, and you can see it in its entirety below. The authority essentially refutes the HuffPost India report, calling it “completely incorrect and irresponsible.” It reiterates that “certain vested interests are deliberately trying to create confusion in the minds of people,” something it had said last month during the Aadhaar toll-free number controversy.
UIDAI is currently working on a face recognition facility that was delayed in the recent past. The facility is aimed to bolster security by verifying users through facial recognition alongside iris and fingerprint scan.
“Unique Identification Authority of India (UIDAI) hereby dismisses a news report appearing in social and online media about Aadhaar Enrolment Software being allegedly hacked as completely incorrect and irresponsible. The claims lack substance and are baseless. UIDAI further said that certain vested interests are deliberately trying to create confusion in the minds of people which is completely unwarranted.
UIDAI in a statement today said that claims made in the report about Aadhaar being vulnerable to tampering leading to ghost entries in Aadhaar database by purportedly bypassing operators’ biometric authentication to generate multiple Aadhaar cards is totally baseless. The report itself accepts that “it (patch) doesn’t seek to access information stored in the Aadhaar database”. Its further claim “to introduce information” into Aadhaar database is completely unfounded as UIDAI matches all the biometric (10 fingerprints and both iris) of a resident enrolling for Aadhaar with the biometrics of all Aadhaar holders before issuing an Aadhaar.
UIDAI said that it has taken all necessary safeguard measures spanning from providing standardized software that encrypts entire data even before saving to any disk, protecting data using tamper proofing, identifying every one of the of operators in “every” enrolment, identifying every one of thousands of machines using a unique machine registration process, which ensures every encrypted packet is tracked. UIDAI has taken full measures to ensure end-to-end security of resident data, spanning from full encryption of resident data at the time of capture, tamper resistance, physical security, access control, network security, stringent audit mechanism, 24×7 security and fraud management system monitoring, and measures such as data partitioning and data encryption within UIDAI controlled data centres.
UIDAI further clarified that no operator can make or update Aadhaar unless resident himself give his biometric. Any enrolment or update request is processed only after biometrics of the operator is authenticated and resident’s biometrics is de-duplicated at the backend of UIDAI system. UIDAI said that as part of its stringent enrolment and updation process, UIDAI checks enrolment operator’s biometric and other parameters before processing of the enrolment or updates and only after all checks are found to be successful, enrolment or update of resident is further processed. Therefore it is not possible to introduce ghost entries into Aadhaar database.
UIDAI said that even in a hypothetical situation where by some manipulative attempt, essential parameters such as operator’s biometrics or resident’s biometrics are not captured, blurred and such a ghost enrolment/update packet is sent to UIDAI, the same is identified by the robust backend system of UIDAI, and all such enrolment packets get rejected and no Aadhaar is generated. Also, the concerned enrolment machines and the operators are identified, blocked and blacklisted permanently from the UIDAI system. In appropriate cases, police complaints are also filed for such fraudulent attempts.
UIDAI said that similar allegations were also made before the Hon’ble Supreme Court during hearing of the Aadhaar case before the Constitution Bench which were then adequately responded by the UIDAI in the Hon’ble Supreme Court.
UIDAI said that reported claim of “anybody is able to create an entry into Aadhaar database, then the person can create multiple Aadhaar cards” is completely false. Some of the checks include biometric check of operator, validity of operator, enrolment machine, enrolment agency, registrar, etc. which are verified at UIDAI’s backend system before further processing is done. In cases where, any of the checks fails, the enrolment request gets rejected and therefore any claim of creating multiple Aadhaar and compromising the database is false.
If an operator is found violating UIDAI’s strict enrolment and update processes or if one indulges in any type of fraudulent or corrupt practices, UIDAI blocks and blacklists them and imposes financial penalty upto Rs.1 lakh per instance. It is because of this stringent and robust system that as on date more that 50,000 operators have been blacklisted, UIDAI added.
UIDAI said that it keeps adding new security features in its system as required from time-to-time to thwart new security threats by unscrupulous elements.
UIDAI has also advised people to approach only the authorized Aadhaar enrolment centres in bank branches, post offices and Government offices for their enrolment/updation so that their enrolment/updation is done only on authorized machines and their efforts do not get wasted because of rejection of their enrolments or updates . (The list of authorized Aadhaar Kendra is available on UIDAI website www.uidai.gov.in).”